| author | tv <tv@krebsco.de> | 2019-02-10 14:22:54 +0100 | 
|---|---|---|
| committer | tv <tv@krebsco.de> | 2019-02-10 14:22:54 +0100 | 
| commit | 081af8ac42f6c2cf4e2afefd1ad3853f1eecd853 (patch) | |
| tree | f282e542878208f4e792188d3351745dbbe79fee | |
| parent | b5e608263981d994315e194a600d4bb930b9f17c (diff) | |
tv iptables: add extra{4,6}
| -rw-r--r-- | tv/3modules/iptables.nix | 55 | 
1 files changed, 42 insertions, 13 deletions
diff --git a/tv/3modules/iptables.nix b/tv/3modules/iptables.nix
index 56861dc..3f1df92 100644
--- a/tv/3modules/iptables.nix
+++ b/tv/3modules/iptables.nix
@@ -9,6 +9,33 @@ let {
     config = lib.mkIf cfg.enable imp;
   };
 
+  extraTypes = {
+    rules = types.submodule {
+      options = {
+        nat.OUTPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.PREROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        nat.POSTROUTING = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.FORWARD = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+        filter.INPUT = mkOption {
+          type = with types; listOf str;
+          default = [];
+        };
+      };
+    };
+  };
+
   api = {
     enable = mkEnableOption "tv.iptables";
 
@@ -37,19 +64,19 @@ let {
       default = [];
     };
 
-    extra = {
-      nat.POSTROUTING = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.FORWARD = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
-      filter.INPUT = mkOption {
-        type = with types; listOf str;
-        default = [];
-      };
+    extra = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra4 = mkOption {
+      default = {};
+      type = extraTypes.rules;
+    };
+
+    extra6 = mkOption {
+      default = {};
+      type = extraTypes.rules;
     };
   };
 
@@ -112,6 +139,7 @@ let {
         "-o lo -p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
       ]}
       ${formatTable cfg.extra.nat}
+      ${formatTable cfg."extra${toString iptables-version}".nat}
       COMMIT
       *filter
       :INPUT DROP [0:0]
@@ -129,6 +157,7 @@ let {
         ++ ["-i retiolum -j Retiolum"]
       )}
       ${formatTable cfg.extra.filter}
+      ${formatTable cfg."extra${toString iptables-version}".filter}
       ${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
         ++ optional (cfg.accept-echo-request == "retiolum") accept-echo-request
         ++ map accept-tcp (unique (map toString cfg.input-retiolum-accept-tcp))
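Review bot: None of the five chain options in the new `extraTypes.rules` submodule carries a `description`, so `extra`, `extra4` and `extra6` (declared in the second hunk) appear undocumented in generated option listings and nothing tells a user what a list entry is. Judging by the existing `${formatTable cfg.extra.nat}` use in the third hunk, each string appears to be emitted into the iptables-restore input for that chain, so the description should say which chain and table it feeds, e.g. `description = "Extra rules for the nat OUTPUT chain.";` on each option, with the matching table/chain name on the other four. The identical `mkOption { type = with types; listOf str; default = []; }` body is repeated five times; a local `chain = mkOption { … };` reused for every attribute would keep the type, default and description in one place.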
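Review bot: The added `${formatTable cfg."extra${toString iptables-version}".nat}` line fixes an order — generic `cfg.extra` rules first, then the version-specific ones — that nothing documents, and the same order is repeated for the filter table in the fourth hunk. Because iptables evaluates appended rules top-down, a terminating rule (DROP, REJECT, ACCEPT) placed in `extra` decides the packet before anything in `extra4`/`extra6` is reached, so a comment stating the contract would help, e.g. `# generic extra rules come first, then extra4/extra6; order is evaluation order`. `iptables-version` is not defined in this hunk, so I am assuming it is the 4/6 value the surrounding rule string is generated for; if it is already a string, `toString` is harmless but redundant.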
